

A Defining Moment

Stung by charges that customers never saw risks coming, vendors of governance, risk, and compliance software are rebuilding their image.

January 1, 2009

Like the global economy, the governance, risk, and compliance (GRC) software business has experienced plenty of recent turmoil. Unlike the economy, however, the GRC world is used to it. Almost from the beginning, uniting governance, risk, and compliance into a single entity has been a delicate exercise. It required vendors to offer customers working in different business sectors three related, but not always easily integrated, capabilities.

The stock market's meltdown further unsettled this balance. Risk management and governance issues raced to the forefront while compliance, which tends to be at the core of most GRC products, receded into the shadows, at least temporarily.

"Compliance was really not a big factor in the meltdown," says Marc Othersen, senior security and risk management analyst at business technology research firm Forrester Research. "There were some compliance issues, but it was the risk and the governance [parts] where people had the whammies."

Where will that leave the software category in 2009? Michael Rasmussen, president of Corporate Integrity, a Waterford, Wisconsin-based consultancy that specializes in GRC issues, insists that GRC is far more than a handy marketing acronym. It captures a philosophy of business that encompasses oversight, processes, and culture. "Ultimately, GRC is about the integrity of the organization," says Rasmussen. Nonetheless, he expects both recent events and impending changes to the business climate, such as additional regulation, to have a strong impact on the space. "The GRC market today is not necessarily going to be the same one that is around a year from now," he adds. "Change is inevitable."

Properly deployed, Rasmussen says, GRC in bundled or à la carte form should help companies answer four key questions:

  • Is the organization properly managed and does it have sound governance?
  • Does the organization take risk within risk-appetite and -tolerance thresholds?
  • Does the organization meet its legal/regulatory compliance obligations?
  • Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?

Critics contend that vendors have allowed customers to stumble when insight was needed most. Some blame vendors for skimping on risk and governance software in favor of more easily salable compliance tools. "The risk function is something software vendors didn't build out very well," Othersen says. "Even if it did work well, it still had issues for some of these companies that had meltdowns."

Even when the software generated accurate and actionable data, customers may not have acted wisely on such information. Some disregarded the GRC-generated alerts and made bad decisions. Whether that's attributable to poor training, ignorance, or an inability or unwillingness to buck the tenor of the times is open to debate. "A lot of them either didn't know how much risk they were assuming," Othersen says, "or they knew exactly how much risk they were assuming but they decided to do it anyway."

Michael J. Duffy, president and CEO of Waltham, Massachusetts-based vendor OpenPages, defends the track record of GRC software. "In the case of the financial-services collapse and subprime crisis, some financial-services institutions — such as Goldman Sachs — did effectively identify the risk of falling home prices and foreclosures on their mortgage-backed securities and exited that business in time," he says. "Others either failed to identify and appreciate the impact of these risks on their business, or chose to ignore their own internal warnings from risk managers and GRC solutions."

Rolling Along
Despite a less than perfect record, GRC vendors still tout the risk-management and governance capabilities of their products. In fact, they see a major marketing opportunity in the subprime crisis and in the current economic distress. "The collapse of the financial markets was a wake-up call," says Narina Sippy, general manager of German software vendor SAP's GRC business unit. "Companies are now taking action to ensure their organization is not next to be splashed across newspaper headlines," she says.

Once awakened, the argument goes, companies will need to invest in software that helps them stay alert. John Capobianco, president and CEO of Lumigent Technologies, says that companies can expect to pay between the mid five figures and low six figures for his company's product, broken out like this: a privately held company with $100 million in sales might pay as little as $53,000, while a midsize, newly public company with $750 million in sales might get started for $75,000, and a multibillion-dollar company with thousands of employees and several locations would begin at $113,000. In all cases, annual maintenance costs would run 22 percent of licensing fees; Capobianco predicts a positive ROI in a couple of audit cycles.

New York–based vendor BWise charges customers based on the number of users and the client's choice of modules. A cost-conscious customer can start small and add modules as needs arise, since the modules are built in and can essentially be turned on or off at the flip of a switch — or the remittance of a check. Like many other vendors, BWise also offers subscription-based pricing for its installed software and a software-as-a-service model that allows customers to pay as they go. Implementations normally take from one to three months, depending on a project's complexity. BWise chief technology officer Luc Brandts also stresses a fairly short-term ROI (about one year).


Reader Comments

  • John Capobianco

    Jan 14, 2009 10:48 AM ET

    Compliance cost reduction

    Great points here, John. I agree with Forrester's Othersen. Risk and governance concerns were central to the global …

  • Mark Adams

    Jan 12, 2009 2:39 PM ET

    Nobody Gets It

    This entire article shows an almost complete misunderstanding of basic risk management and governance, but here are two …
